[refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.

From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.
Date: Fri, 08 Oct 2010 09:41:30 -0400	[thread overview]
Message-ID: <4CAF1F8A.5070004@redhat.com> (raw)
In-Reply-To: <20101008133141.GB6366@localhost.localdomain>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/08/2010 09:31 AM, Dominick Grift wrote:
> On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote:
>> On 10/08/10 09:11, Christopher J. PeBenito wrote:
>>> On 10/08/10 09:07, Dominick Grift wrote:
>>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
>>>>> On 10/08/10 09:01, Dominick Grift wrote:
>>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
>>>>>> wrote:
>>>>>>> On 10/04/10 14:23, Dominick Grift wrote:
>>>>>>>> diff --git a/policy/modules/admin/sudo.if
>>>>>>>> b/policy/modules/admin/sudo.if
>>>>>>>> index ca36b15..da2afce 100644
>>>>>>>> --- a/policy/modules/admin/sudo.if
>>>>>>>> +++ b/policy/modules/admin/sudo.if
>>>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
>>>>>>>> files_read_usr_symlinks($1_sudo_t)
>>>>>>>> files_getattr_usr_files($1_sudo_t)
>>>>>>>> # for some PAM modules and for cwd
>>>>>>>> + files_dontaudit_list_default($1_sudo_t)
>>>>>>>> files_dontaudit_search_home($1_sudo_t)
>>>>>>>> files_list_tmp($1_sudo_t)
>>>>>>>
>>>>>>> I'm confused, /root shouldn't be default_t.
>>>>>>
>>>>>> Why not, what do you think it should be?
>>>>>
>>>>> There shouldn't be any default_t files if it can be helped. I would
>>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
>>>>
>>>> This patch set is to make "refpolicy" work on minimal fedora
>>>> installations. Its not so much about trying to merge every fedora
>>>> change to refpolicy.
>>>>
>>>> However if you are interested in implementing Fedora's admin_home_t i
>>>> guess i could try that instead. That would mean that for now you can
>>>> disregard all " default" patches.
>>>>
>>>> I just was of the opinion that refpolicy is not interested in
>>>> implementing fedoras admin_home_t solution, and rather stick to
>>>> default_t for /root
>>>
>>> No, /root should definitely not be default_t. If thats what you're
>>> getting out of refpolicy head, we need to figure out why.
>>
>> To clarify, I would expect it to be user_home_dir_t in refpolicy.
> 
> Any particular reason to not implement Fedoras admin_home_t solution instead?
>>
>>
>> -- 
>> Chris PeBenito
>> Tresys Technology, LLC
>> www.tresys.com | oss.tresys.com
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy

Top Reasons I like labelling /root differently then /home/dwalsh

1.  Admins enter the /root directory every time they run su - or sudo.
And execute .bash type scripts.
2.  If said admins execute /etc/init.d/BLAH script I get avc saying BLAH
tried to read user_home_dir_t, I can add rule saying dontaudit daemon
admin_home_t:dir search_dir_perms;
3.  When someone tries to login via Xwindows as Root, they get denied,
by SELinux.  We do not want X Window sessions running as root and
unconfined_t.
4.  Over 70 domains in Fedora 15 need to write to user_home_dir_t
depending on boolean settings,  I do not want them writing to /root
5.  I can turn off genhomedircon, since I have a label for /root as
admin_home_t.
6.  I want to have confined administrators tread the directories
differently.
7. Confined apps started in /root need to be treated differently.
8. Setroubleshoot plugins can treat access differently.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyvH4oACgkQrlYvE4MpobP03QCgkqc9QhO8dd++6+wA45pqGMw/
3lYAnjKASWpaZyC3afxMLiWnDhdpwnkJ
=0O7C
-----END PGP SIGNATURE-----